Hulk DoS tool analyzed and mitigated

On 17 May, security researcher Barry Shteiman released Hulk (HTTP unbearable load king). It is, as its name suggests, a denial-of-service (DoS) tool that operates by sending an unbearable load of HTTP requests to the target web server, overloading it and bringing it to a standstill.

Hulk was designed for educational and research purposes. It helps people better understand the process of a DoS attack, and understand their own defenses against a DoS attack. The thing is, it works – from a single attack host. “Basically my test web server with 4gb of Ram running Microsoft IIS7 was brought to its knees under less than a minute, running all requests from a single host,” wrote Shteiman. Given the continuous rise in crowd sourced hacktivism, this educational exercise could conceivably be used for genuinely malicious intent – and a mitigation strategy is important.

First off the mark was Trustwave’s SpiderLabs, who one day later published Thor – ‘thumping http obvious requests’ (maintaining the Marvel comics theme). SpiderLabs noticed that although Hulk randomizes the request payloads to avoid detection, the request header ordering is always identical. “This ordering is a unique fingerprint for this tool as no other legitimate web clients have this header ordering.” SpiderLabs consequently produced Thor, a ModSecurity rule specifically, and successfully, to recognize and mitigate against Hulk attacks. “As an added benefit, using the ModSecurity drop action,” noted SpiderLabs, “seems to cause HULK to freeze. After receiving the initial 10 requests, and issuing the drop, HULK sits idle and does not send anymore requests.”

ModSecurity is a widely used open source application firewall. But not everybody uses it. Now Prolexic, a specialist DDoS mitigation company, has released its own analysis of Hulk. It describes an “effective mitigation method that,” claims Proloexic’s COO Neal Quinn, can be implemented on any WAF or content switch, and transform the HULK back into Dr. Banner.”

Prolexic also notes four separate ‘flags’ within a Hulk attack, including the header ordering noted by Thor, that can be used to provide a signature, and defines a specific Snort rule that can be used to detect and neutralize it.

“There is a lot at stake for businesses online,” he says, “whether it’s a matter of money, reputation, regulatory compliance or business continuity. No one wants to be down for a second, let alone hours or days. Consequently, any threat can cause panic. While many DDoS threats are very real and severe, in the case of HULK, panic is not necessary.”